Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/29/2018
06:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Thieves Target ATMs In First US 'Jackpotting' Attacks

Attackers have been getting ATMs to illegally dispense cash by tampering with their internal electronics, US Secret Service warns.

Diebold Nixdorf and NCR, two of the world's largest ATM vendors, are warning their US customers about recent so-called jackpotting attacks where cybercriminals force terminals to illegally dispense large amounts of cash by tampering with their internal electronics.

In its customer alert, Diebold Nixdorf said that US Secret Service had informed the company on  Jan. 26 about jackpotting attacks moving from Mexico to the US for the first time. The attack that the Secret Service memo described was the same as one that Diebold Nixdorf had warned customers about in November 2017, said the alert, which the company made available to Dark Reading.

According to the ATM maker, attackers are removing the top hat of its Opteva front-load ATM terminals and replacing original hard disks with previously prepared replacement disks that contain an unauthorized image of the ATM's software.

In order to pair the new disk with the terminal, the attackers have to first reset its communications — a multi-step process that requires them to press and hold a button inside the ATM's locked safe. CCTV footage of the attacks shows the criminals using an industrial endoscope to look inside the safe so they can locate the button and then use an extension to press it down till the pairing is complete.

All Diebold Nixdorf front-load Advanced Function Dispenser (AFD)-based Opteva ATMs are vulnerable to the attack. Rear-load Opteva models are also vulnerable, but would be extremely difficult to attack using the current approach, the company said.

The attack circumvents the ATMs' physical security and authorization features to allow dispensers to be paired with rogue hard drives, the vendor said. "As the ATMs that are currently being targeted are older, legacy Diebold units, it's important to remind financial institutions to keep their security up to date," the company said in a statement.

In an emailed comment, NCR said it, too, had alerted customers of its ATM machines about the jackpotting attacks and offered guidance on how to protect against them. Though the attacks have targeted non-NCR systems so far, they represent the first logical attacks against ATMs in the US and therefore should be taken seriously by everyone.

In a January 26 press statement, the US Secret Service described the attacks as mainly targeting stand-alone ATMs of the sort routinely found in pharmacies, big box retailers, and drive-through locations. "Criminals range from individual suspects to large organized groups, from local criminals to international organized crime syndicates," the Secret Service statement said.

KrebsOnSecurity, which was first to report on the new attacks, said the thieves behind it appear to be using a new version of a jackpotting malware tool called Ploutus.D to steal money from cash dispensers. The blog quoted an unnamed source at the Secret Service saying that the crooks behind the jackpotting campaign have begun sending out so-called "cash out crews" to attack and compromise front-loading Diebold machines.

Once a terminal has been paired with a rogue hard drive, members of the crew contact co-conspirators who then take remote control of the ATM and force it to dispense cash. In previous attacks involving Ploutus-D, attackers have been able to force compromised ATMs to spit out up to 40 currency bills every 23 seconds, Krebs on Security said.

Attacks targeting ATMs are not new. As far back as 2010, a researcher with IOActive demonstrated how attackers could compromise ATMs and force them to dispense wads of cash. In 2016, a suspected Russian operation stole more than $2 million from ATMs, likely using just their smartphones.

Hands-On Hack

Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, says what makes the jackpotting attacks interesting is the level of access criminals need to pull it off. "What is strange in this scenario is the level of physical access obtained by the attackers," she says. "The only real benefit of this may be from infecting further machines without the bank becoming aware."

But even then, compromised ATMs would display an out-of-service notification, she says.

Attackers can steal money from ATMs using less complicated methods than jackpotting, she notes. "There are actually remote attacks that don't rely on physical access to the inside of the ATM, and travel via infection of a bank's core network," she says.  

Modems used for communications can also have vulnerabilities. "If the ATM is connected to the network via a modem, it is possible to find vulnerabilities in modems, which would allow an attacker to gain access," Galloway says.

For ATM operators, the attacks highlight the need for proper risk management, says Alan Brill, senior managing director, cybersecurity and investigations for Kroll. "The reports of the incidents suggest that certain older stand-alone ATMs are being targeted," he says. "Successful attacks require access to the ATM to [install] the malware and in at least some cases, a button had to be pushed, for which the bad guys used an endoscope."

Endoscopes fully equipped with lights and tools that could be used to press a button in the innards of an ATM are available on many sites for under $20, Brill says.

There are a few common-sense ways of managing the risk of jackpotting attacks, he notes. Unexpected visits by ATM technicians, for instance, should be a red flag. Stand-alone ATMs should be in a location that is visible to employees and covered by a security camera. Tamper-evident tape can be used to close off openings that would allow an attacker to insert an endoscope into a terminal.

ATM owners should also always know who to contact when there's a problem, and to authenticate the person whom they are calling.

When taking precautious against threats like jackpotting, it's also best to implement security against other threats as well, such as skimming."There’s an overlap in security so that protecting against one form of attack can help mitigate the risk of multiple forms of attack," Brill notes.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/30/2018 | 1:46:10 PM
Update: Suspects apprehended
Update... According to Brian Krebs today, the suspects were allegedly caught after (1) getting themselves pulled over, which lead to (2) police smelling marijuana in their car, leading to a search that, in addition to marijuana, yielded discovery of (3) "several backpacks full of cash".

How can people be so smart and so stupid?
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1874
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protection mechanisms on the web-ba...
CVE-2019-1875
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient validation of user-supplied input by t...
CVE-2019-1876
PUBLISHED: 2019-06-20
A vulnerability in the HTTPS proxy feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to use the Central Manager as an HTTPS proxy. The vulnerability is due to insufficient authentication of proxy connection requests. An attacker could exp...
CVE-2019-1878
PUBLISHED: 2019-06-20
A vulnerability in the Cisco Discovery Protocol (CDP) implementation for the Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software could allow an unauthenticated, adjacent attacker to inject arbitrary shell commands that are executed by the device. The vulnerability is due to insuff...
CVE-2019-1879
PUBLISHED: 2019-06-20
A vulnerability in the CLI of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient validation of user-supplied input at the CLI. An attacker could exploi...